The perception of internal audit as a function that can add value in addition to enforcing compliance is placing importance on several objectives for internal auditors.
“I think the expectation from the executive suite has increased,” PwC’s Walter Smiechewicz, CPA, said in a telephone interview. “And they are looking for high quality from their internal audit groups. And that’s a challenge for the chief audit executive.”
Chief audit executives (CAEs) may need to increase the size and skill levels of their teams, conduct more frequent audits and look at new areas within their audit schedules, said Smiechewicz, a managing director for risk assurance in banking and capital markets for PwC. He said demand from top executives for internal audit services is increasing in banking organisations, and he predicts other industries are likely to experience the same demand.
Smiechewicz was a co-presenter in a recent PwC webcast on preparing internal audit for emerging risks in the financial services industry. That preparation includes attention in key areas including:
1. Looking forward. One part of internal audit’s job is to test past transactions to discover problems and control issues. But Smiechewicz said it’s important also to look forward, anticipate risks and help navigate the potentially choppy waters on the horizon.
The CAE can structure audit work to have more relevance in the executive suite to assist organisations with being profitable, providing good customer service and staying in compliance, Smiechewicz said.
2. Understanding strategy. To audit risks, an auditor needs to understand strategy, Smiechewicz said. For instance, organisations in many industries are using mobile apps and online platforms to expand their reach.
These include banking, pharmacy, retail, insurance and health care, just to name a few. The audit schedule should be structured to take into account the risks to these strategies, which may include outside market forces, competitors and new vendors, Smiechewicz said.
Issues related to digital commerce that internal auditors would be concerned with could include regulation, privacy and payment data accuracy. Regulatory and privacy issues will be top-of-mind, for example, for pharmacies whose customers use mobile devices to fill and track their prescriptions, and health-care providers whose doctors use online platforms to interact with patients, keep patient records and diagnose issues.
3. Developing talent. The competencies of the internal audit staff need to keep up with the evolution of the environment and the business, Smiechewicz said.
Take, for example, an organisation that is focusing on mobile and internet banking. Internal audit at that bank will need auditors with experience in mobile banking, cloud computing and other technologies customers are using, Smiechewicz said.
IT functions in many businesses are using internal and external cloud platforms, so Smiechewicz said it’s important for internal audit staffs to be proficient in IT general controls and governance around the cloud.
4. Leveraging technology. Internal auditors in banking traditionally have selected random transactions or qualified statistical samples to test in their audit work, Smiechewicz said. But now, because transactions are digitised, he said it’s possible to look at every transaction to find the anomalies and exceptions.
So rather than reporting a few exceptions, internal auditors can look at an entire lending portfolio to discover a problem that might be outside an organisation’s risk appetite. Armed with this information, executives can move beyond correcting the exceptions to consider how strategy or operations are delivering unexpected risk.
“So audit findings and recommendations can take on a whole new realm of value within the organisation,” Smiechewicz said.
Opportunities to leverage technology in all industries include tracking anomalies in accounts payable, payroll, inventory and operating revenue to operating expense; assessing all cash disbursements; and reviewing data within the procurement department, according to Smiechewicz.
5. Preparing for a wave of new regulations. Many new rules are coming in the wake of the financial crisis. In this environment, every internal audit memo should include a scope question about regulatory issues, according to Smiechewicz.
He said internal auditors have a duty to know who regulates their company and its departments, and research the regulations that might impact any internal audit being planned. Recent regulatory reports and upcoming regulatory activities should be included in the scope, Smiechewicz said.
In the heavily regulated financial services industry, every audit performed should include an assessment of regulatory risk, according to Smiechewicz. In addition, financial services organisations should perform distinct audits on a specific compliance issue across the entire organisation, making sure processes, controls and governance are strong across the organisation—and that exceptions and anomalies are reported upward in a timely fashion.
Management and boards of directors in financial services are eager for internal auditors to perform these duties, said Richard Reynolds, CPA, who leads PwC’s internal audit services practice for the banking and capital markets sector.
“There’s an expectation that audit is no longer just providing the facts from their audit work,” Reynolds said on the webcast, “but actually is providing management and the board an independent perspective or point of view on the overall risk profile of the organisation.”
—Ken Tysiac (firstname.lastname@example.org) is a CGMA Magazine senior editor.